Security HOLE! beta 7

My point is that there is a serious SECURITY hole in vB#.

Nobody knew my massword. I never shared it with anyone exept the vB Tech support and I changed it after they were done.

As Scott said, you haven't proven any security hole. You've proven that someone got access to your admincp. That's it. I get plenty of hack attempts on my board everyday and no one has actually gotten in without figuring out someone's password and now that problem has been fixed with the MD5 encryption.

are you on a dedicated server?

I've seen people hack accounts by getting an account on the same host.

then its just a case of fetching there config file once you get an account.

require_once('/home/USER/www/forums/includes/config.php');
echo $dbpassword;
echo $dbusername;

fire that in to phpMyAdmin or even use it to edit your already registered user and your in.

You need a host which doesn't run apache as nobody so you can set your permissions to 750 etc

IF there is a security hole we have no way to even start fixing it if we have nothing to go on at the moment.

You should be more lenient with your accusations until you have proper proof to back them up.

Indeed. I have lurked at these boards for many years. I am not the world's best guy with understanding web scripts. But I do know Jelsoft has a reputation for doing their part to maintain security.

I also know that baseless accusations can be very damaging/hurtful. Without proof, all you are doing is slandering.

I dont think this is right. by looking at his attactment, there is definitely someone under IP 81.86.75.189 have some banning activities on his board, regardless how the guy did it.

That is evidence. Although vB3Dev.Com or any of us can be sure for rightnow that it's server's hole or vB hole, but chance can go to any of them, and his board is definitely being hacked.

so atleast (I think) vB team should take a look at what going on in his board, or help him out (as vB has reputation on security, isnt it? vB team should somehow help him with his vB3 being hacked).

The banning activity is logged (seen in admin log), so, in theory, the banning.php was executed. The username was not logged, so that the guy was somehow able to bypass the username checking, or permission checking. If someone does know his password, and execute the banning in ACP, his username (or whatever account he used) should be logged, isnt it?
(I dont believe that the guy can delete username after being logged. If he can, then why he doesnt just delete the whole log?)

so, this seem to be vB hole, more than a server's hole (I think).

anyway, some suggestions for investigation:

- turn on Error Handling & Logging
ACP/vBulletin Options/Error Handling & Logging
Log them to files, also check and see if any ACP login trial in your admin email

- Look at the DATE of your vB files in your server, and see if there's any abnormal date (say new files were uploaded, or changed by someone)
- download banning.php from your server, and compare with the original banning.php

checking all other files and see if any of them got changed is suggested, but time consumming. you can use BeyondCompare or Merge to do this. (remember, dont overwrite any file, download everying from your server to a seperate folder)

and of couse do all the checking that others suggested above.

You should look for some clue what's going on.

You should also contact some vB guy to help you personnaly (giving him permission to check your server too)

Good luck, and if it is a vB security hole, or even a server hole, let us know. We'd appreciate learning the experiences.



btw. people. he's being hacked. help him out . He didnt mean to say vB has bad security, he's just trying to deal with a hacking problem that he runs into. That's what Troubleshooting and Problems board is for, isnt it

We'd gladly help him if he provides more information.

The fact the username is blank isn't possible since it joins the user table on userid so if the user row doesn't exist it wont show. They must have an entry in the usr table.

Checking is done in global.php which every file in the modcp includes so it wouldn't be able to simply bypass it for one file.

If vB3dev.com is willing to give us more information, even getting us the userid from the adminlog table will prove that its a user who has been deleted since.

Then you can look up the adminlog to see when someone with that userid was removed.

Enough with everyone throwing in there 2 cents, we'll attempt to help him if we can obtain any information about the alleged security hole.

But then what's the security hole?

Looks more like someone managed to retrieve a password to either your database or to your own admin account. That's not a vBulletin security issue, but either your server or you.

Steve, pleade drop the "my **** don't stink" attitude already.

Last time I had a majot problem I gave you guys my login infor for my site and you guys were too stupid to find anything! I had to figure out the bug on my own.

I just gave you an actual creenshot of the log and that is what is there. If there is someone sompetent enough to figure this out on the Jelsoft team I'd galdly give him/her access to the site and db so they can look at it.

I am tired of your condensending bull**** attitude already. I own 13 vB licences, so don't treat me like **** ya imbasol!

THERE IS A MAJOR SECURITY HOLE IN VB3 AND YOU ARE AFRAID TO SEE THE EVIDENCE, obviously! Well, i don't care what it will do to your sales and reputation if this is your attitude.

Either your logs are just there for estetics and are not valid or the logs show what took place. I only posted a small chunk of it. It is huge and there are users who were deleted and banned and posts deleted en masse and half my users banned.

This is how it is period. DON'T COME HERE AND TELL US ALL WHAT IS NOT POSSIBLE WHEN SECURITY HOLES ARE FOUND IN YOUR PRODUCTS ALL THE ****ING TIME. PERIOD!

I do not see how. My password is very long and I never use the same password for any other site or login. I al also behind a firewall etc. 90% of the time and I do not have the password on my computer in any files. In fact if you see how long my password is you would freak out. and it is 50% numerical.

I think you are getting a little over the top here. The guys have asked you to give them more details, by running queries etc and they will try and work it out for you. In their eyes there is no way that this could happen, unless files etc have been modified - and they need more assistance from you to prove that this is the case. I have been a member here for a while, and seen how the staff here do care very much about possible security issues and always try and resolve them.

Scott's attitude is plain and clear "it is impossible" for that to happen so talking to Scott is like talking to a brick wall.

I offered them login info so they can see for themselves at the whole thing, complete site and db access. What is their response? ZERO!

vB3Dev.com and Kurafire, your posts in this thread are completely inappropriate. Consider this a warning to not do it again.

Maybe if you changed your attitude and started asking nicely, they would be more willing to help. Sending a PM/support ticket to a developer would be a lot more helpful to you, then posting in this thread.

Scott's attitude isnt its impossible. His attitude it is highly unlikely. Upon further investigation, if this turns out to be a vB security hole, I am willing to bet that Scott and the dev team wont stop working on it until the bug has been squashed. This has been their reputation in the past, so I am inclined to believe that this is still how they operate.